I Think I May Have Encountered A High Tech Criminal

[waza]

Sorry , I can't offer any advice on "skimming " of your cards. It does seem though, that criminals always seem to be a step ahead, with plastic card technology.

I would suggest that if you have Debit cards, that you don't keep a large amount in the Bank account that it draws from, better to have a deposit type account which can't be accessed by card. As for Credit cards, keep the amount that you can borrow on it as low as you can. Using both these methods will ensure that if you are a victim, then the amount lost will be relatively small.

I do hope your fears are unfounded, though it's worth remembering, that if you do get in trouble in Pattaya, there's always plenty of ex-SAS and ex-US special forces chaps you can call on for help !!

and dont forget the Farrang volentary police

[seekingfriends]

I had a couple of credit cards arrive recently with a little 'wireless' logo in the corner and the words "Pay Pass". <deleted>?

A little Googling and I discovered it's a quick-pay method for small amounts: no signature, no PIN, no CVV required.

I didn't request this 'feature and didn't like the idea, so these cards have been relegated to backup/online use and I keep them in my room unless I'm travelling when I made a little wallet for them out of a small CC-sized zip-lock holder (B2S) wrapped in tin foil and covered with duct tape.

I don't think the Pay-Pass system has reached Thailand yet, and I'm being overly paranoid expecting the local crooks to be that far ahead of the game, but I am ready for when they do catch up.

(Just checked: Visa = Pay Wave, MasterCard = Pay Pass)

we are using this pay pass system in australia for small amounts under 100 dollars .james

[bendejo]

... When he went for my wallet and I moved it away, he said don't worry.

...

This was where you should have asked "what is it I shouldn't be worried about?"

He'll probably step into his own cleverness and say something like "no worry about stealing." Then you ask more about this stealing he brought up.

[scorecard]

Reminds me of an incident 30 years back in an Indian tailor shop in Singapore.

I was just browsing , not serious, was on my mind to maybe have a suit made.

The owner said something like 'you like this fabric?'

My answer something like 'yes, quite nice'.

Then I suddenly realized that another guy was measuring my approx. height and another guy had taken the same roll of fabric off the shelf and way about to start cutting.

I quickly said 'stop' I haven't inicated that I want to proceed. They all look so shocked.

Then I suddenly realised one of the shop assistants was standing alongside me with my wallet. When he saw that I had noticed my wallet in his hand he said 'never mind sir I take care for you'.

I grabbed my wallet and fled.

[Swiss1960]

The problem is that now they can scan the details from your cards while it in your wallet and in you pocket, as a result there is a growing business in scan proof wallets.

Yes, that is my understanding. But I wasn't thinking about that at the time as I haven't been exposed to that issue lately.

guys... guys... guys... don't panic, don't get paranoid....

Yes, there are readers that send out RF waves and can activate your contactless card to talk with the reader... but those readers work over distances up to 10m, depending on the signal strength they send out... But they can not scan the details of your card in your wallet!!

What they can do is talk with the RFID functionality on your card and create responses from your card (not even transactions) which would include a CVV3 value. What they can do is create a few hundred such responses within few minutes of scanning your card. BUT this is not a big deal!

What they then can do is load these responses to special devices and go to contactless POS terminals and do replay attacks... BUT depending on the settings of four different values used to create the CVV3 and checking transactions from your card, the probability of such a replay attack is that 1 out of 10'000 responses they scanned will be a working response... and give them the opportunity to make ONE single transaction of normally less than 40CHF / 25$ / 25€ ...

just not (yet) worth the effort of doing this, as other options for fraud (spying PIN codes on ATM's, scanning magstripes specially from US cards without EMV, phising card numbers and CVV2 on the Internet etc.) are widely available and create much higher profits.than contactless transactions. And since contactless cards have max amounts of offline transactions and then require online authorisation with (normally) PIN code checking, the chance of such a replay attack is even more diminished...

So... risk analysis we have done for our contacless cards (and we are roling out tens of thousands) shows no risk to worry about... even spending money for a "protective wallet" is not worth it... your bank only needs to set the parameters according to the security recommendations given by VISA / MC.

[Swiss1960]

by the way... for techies here... high tech was the attack by a Cambridge University PhD who published an article few years back saying "Chip and PIN is cracked"...

He actually managed to mis-use a flaw in the EMV protocols of POS terminals and was able to do a Chip and PIN transaction without actually knowing the PIN code...

When we analyzed, we found out that he needed a genuine credit card, a card reader attached to a laptop from where a cable was attached to the chip of a dummy card which he had to input intto the chip reader of the POS without the sales person seeing the cable.... the dummy card did route the communication between terminal and card to the laptop where the fraudster could change some values of the transaction flow telling the card that it had a successful online PIN transaction but telling the terminal the it was a offline PIN transaction authorized by the card...

THAT was hightech!!! Actually, this was so hightech, that we have NEVER seen any fraudster using this kind of attack... and we later could read that this PhD did the attack and the article, because both VISA and MC had previously declined funding for his PhD work...

[phaethon]

My policy with new technology, be it operating systems, vehicle ABS, or banking, is to let several million people field test it first and find and post problems and/or fixes on Internet boards. I haven't the time to play guinea pig and there are lots of early adopters out there to do the job for me. I'm in no hurry.

[Scully]

Probably just looking for the amount of cash you were carrying.

Once you have left the shop he or his accomplice "accidentally" bump into you and knowing which pocket you carry your wallet makes easy pickings.

Tried and trusted method from a misspent youth .

[Swiss1960]

My policy with new technology, be it operating systems, vehicle ABS, or banking, is to let several million people field test it first and find and post problems and/or fixes on Internet boards. I haven't the time to play guinea pig and there are lots of early adopters out there to do the job for me. I'm in no hurry.

Well, I won't dispute your policy... but please remember that you will find dozends or hundreds of reports from unhappy customers (as in this example), but the "real" issues will stay unknown and the tens of thousands of happy customers will never post their experience...

contactless cards are not new technologies, they exist for years in various flavours, see for example the contactless Oyster smartcard (London transport) which even exists as part of Barclay card credit cards since 2007... (first Oyster card was issued in 2003...)

[somchai69]

Reminds me when i went to Vientiane on a visa run, a moroccan man went with me to the consulate and he just couldn't keep his hands off me over half an hour, i was massively uncomfortable.

:whistling: :whistling:

Whatever floats your boat.

[Ulysses G.]

I remember the first time that I came to SEA, I was all paranoid about all the scams they tell you about in the Lonely Planet and I was traveling by first class train in Malaysia and drinking a bottle of Evian water.

One of the other passengers - who was not a Westerner - kept asking me if he could look at my bottle of Evian which he seemed to find facinating. I would not let him touch it as I was sure that he was going to injest it with knockout drops and could not figure out why anyone would be interested in Evian water - which seemed like a very common thing to me.

Years later I realized that Evian water was probably not sold in Malaysia at that time and that the whole thing was innocent and that I had embarrased him by not letting him look at it. However, I still do not regret turning him down and would do the same thing today.